Welcome to the 'Scan of the Month' challenge. The purpose of these challenges
is to help the security community develop the forensic and analysis skills to
decode real attacks. It can be difficult to find real attacks that you can analyze
while sharing your results with the community. These challenges address that problem.
This is done by taking attacks we have captured in the wild and challenging the
security community to decode them. Unfortunately, due to resource
limitations, we can no longer provide a new challenge every month.
Send all submissions via email to
[email protected]. Please send all submissions in .txt, .html, or .pdf format.
If it is in .txt format, make sure it is formatted for browsers. Remember, your
documentation will be posted on a Unix webserver, so do NOT have spaces in your
filenames! If you have multiple files, please .gz or .bz2 them into a single,
compressed file. Do NOT use .zip compression; our SPAM filters will deny any
.zip attachments. If a specific SotM challenge receives more than thirty submissions,
we can only post the Top 25 due to limited time and resources.
*NOTE* Most of the code, files, and images supplied in the Scan of the Month
challenges are real, malicious items found in the wild. These files were designed by
attackers to cause harm. As always, use best practices to securely analyze these challenges
so as not to cause harm to yourself. The Honeynet Project makes no warranties
about the challenges, nor is it responsible for any damages caused by these
The grading is based on the following issues. Hint: To get placed in the Top entries, not
only do you have to have all correct answers, but you must also document all your
tools and techniques in depth, in an easy to understand format. Remember, the goal is not only
for you to learn, but for others to learn from your work. If someone can't understand
your documentation, it is of little value to anyone.
One point for each correctly answered question of the challenge.
Do you show the methods used to analyze the data and obtain your conclusions? (5 points)
How easy is it to read and understand your submission: use of whitespace, format,
organization, etc.? (5 points)
The depth of the technical information and analysis you provide. (5 points)
Note: You do not get any points for the Bonus question; it is used only to
break any ties in judging.
Scans 1 - 19
Scan 20 - Solaris dtspcd attack.
Scan 21 - Obfuscated UDP network sweep.
Scan 22 - Determine why the Reverse Challenge attacker was breaking into systems.
Scan 23 - The very first challenge for beginners, decode a network scan.
Scan 24 - Recover and analyze captured evidence from a floppy.
Scan 25 - Analyze a worm recovered by a Honeynet.
Scan 26 - Continuation from SotM24, investigate the drug supplier Jimmy Jungle.
Scan 27 - In-depth analysis of a Win2000 compromise, part of a large botnet.
Scan 28 - Italian blackhats break into a Solaris server then enable IPv6 tunneling for communications.
Scan 29 - One of our most unique challenges, analyze a live hacked Linux system.
Scan 30 - Analyze a month of honeynet firewall logs.
Scan 31 - Discover how an OpenProxy is abused.
Scan 32 - Analyze a Malware binary.
Scan 33 - Advanced reverse engineering challenge.
Scan 34 - Analyze real honeynet logs for attacks and activity.
All binary network captures are in pcap format. The Honeynet Project recommends
you use either Snort or
Ethereal to read and analyze these files. To help you decode the signatures, the following
RFCs are provided. If you want to learn more about decoding TCP/IP, we highly recommend
TCP/IP Illustrated, Volume 1, by Richard Stevens.
IP - RFC 791
ICMP - RFC 777
TCP - RFC 793
UDP - RFC 768